[bind10-dev] when should we apply ACL in incoming request processing?
Stephen Morris
stephen at isc.org
Fri Jun 24 19:40:55 UTC 2011
On 24/06/2011 19:32, JINMEI Tatuya / 神明達哉 wrote:
> I'm more uncertain about the second point. The current implementation
> applies the ACL after:
> - parsing the incoming packet (which may result in FORMERR if the
> packet is broken in some specific ways),
> - refusing unsupported opcode (anything other than normal query for
> the resolver) with NOTIMP (or NOTAUTH for notify), and
> - refusing a query containing more than one question (with FORMERR)
>
> So, for example, even if the administrator specifies an ACL rule that
> drops/rejects queries from a specific IP address, the resolver still
> performs the above checks and could return FORMERR, NOTIMP, etc.
>
> This is compatible with BIND 9's behavior, but I guess administrators
> would rather reject an unwanted packet before doing any deeper
> inspection. BIND 9 actually has a separate "blackhole" ACL, which is
> applied before doing any protocol level processing, but the current
> implementation of b10-resolver doesn't have an equivalent to that.
>
> Note that simply applying ACL before doing anything may not really be
> the best except for "blackhole"ing because we could return a REFUSED
> response to a packet that may not even be a DNS message (but is
> somehow delivered to the server).
>
> Blackholing (in our current terminology, "DROP") may also be
> suboptimal in that it could make the client repeat the query
> unnecessarily.
>
> So, what should we do? Any opinions?
Perhaps the answer is not to immediately send a response when a problem
packet is received. Instead mark it with an attribute that indicates
the problem and apply the ACL.
If we were to extend the ACL to look at the packet attributes, we
could get fine-tuning of the actions. Conceptually, something like:
DROP (malformed)
DROP (src-ip: 1.2.3.4 AND unsupported-opcode)
So all malformed packets and unsupported opcode packets from 1.2.3.4
would be marked for dropping. All others would be allowed by the ACL
check, and normal packet processing would result in an error response
being returned.
Stephen
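To make the proposal concrete, here is an added illustration (not BIND 10 code, and not from either poster) of the "mark first, then apply the ACL" flow: the incoming wire message is inspected only far enough to attach attributes such as malformed, unsupported-opcode or multiple-questions, the ACL is evaluated against the source address plus those attributes, and only packets the ACL lets through go on to normal processing, where the attributes turn into FORMERR/NOTIMP/NOTAUTH responses. The rule syntax (a Rule with an action, an optional source prefix and a set of required attributes) and the 12-byte header check are assumptions chosen for this example; the sample rules mirror the two conceptual lines above.

```python
import struct
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional, Set, FrozenSet, List, Tuple

DNS_HEADER_LEN = 12   # fixed DNS header: id, flags, qdcount, ancount, nscount, arcount
OPCODE_QUERY = 0
OPCODE_NOTIFY = 4


@dataclass
class PacketInfo:
    """What the pre-ACL inspection learned about one incoming packet."""
    src_ip: str
    attributes: Set[str] = field(default_factory=set)
    opcode: Optional[int] = None
    qdcount: Optional[int] = None


def classify(src_ip: str, wire: bytes) -> PacketInfo:
    """Shallow inspection only: mark problems as attributes, never respond here."""
    info = PacketInfo(src_ip)
    if len(wire) < DNS_HEADER_LEN:
        info.attributes.add("malformed")      # not even a full header
        return info
    _msg_id, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", wire[:DNS_HEADER_LEN])
    info.opcode = (flags >> 11) & 0xF         # OPCODE occupies bits 11..14 of the flags word
    info.qdcount = qdcount
    if info.opcode != OPCODE_QUERY:
        info.attributes.add("unsupported-opcode")
    if qdcount > 1:
        info.attributes.add("multiple-questions")
    return info


@dataclass(frozen=True)
class Rule:
    """Hypothetical ACL rule: action applies when src matches AND all attrs are present."""
    action: str                      # "DROP", "REJECT" or "ACCEPT"
    src: Optional[str] = None        # address or CIDR prefix; None matches any source
    attrs: FrozenSet[str] = frozenset()


def rule_matches(rule: Rule, info: PacketInfo) -> bool:
    if rule.src is not None and ip_address(info.src_ip) not in ip_network(rule.src, strict=False):
        return False
    return rule.attrs <= info.attributes


def apply_acl(rules: List[Rule], info: PacketInfo, default: str = "ACCEPT") -> str:
    """First matching rule wins; unmatched packets fall through to the default action."""
    for rule in rules:
        if rule_matches(rule, info):
            return rule.action
    return default


def normal_processing(info: PacketInfo) -> str:
    """The checks the resolver performs today, now driven by the attached attributes."""
    if "malformed" in info.attributes or "multiple-questions" in info.attributes:
        return "FORMERR"
    if "unsupported-opcode" in info.attributes:
        return "NOTAUTH" if info.opcode == OPCODE_NOTIFY else "NOTIMP"
    return "NOERROR"   # a well-formed single-question query: would be resolved


def handle(rules: List[Rule], src_ip: str, wire: bytes) -> Tuple[str, Optional[str]]:
    """Return (acl_action, response_rcode); DROP yields no response at all."""
    info = classify(src_ip, wire)
    action = apply_acl(rules, info)
    if action == "DROP":
        return action, None
    if action == "REJECT":
        return action, "REFUSED"
    return action, normal_processing(info)


def build_header(opcode: int = OPCODE_QUERY, qdcount: int = 1, msg_id: int = 0x1234) -> bytes:
    """Constructed sample packet: a bare header with the given opcode and question count."""
    flags = (opcode & 0xF) << 11
    return struct.pack("!6H", msg_id, flags, qdcount, 0, 0, 0)


# The two conceptual rules from the message above, expressed in this example's syntax.
RULES = [
    Rule("DROP", attrs=frozenset({"malformed"})),
    Rule("DROP", src="1.2.3.4", attrs=frozenset({"unsupported-opcode"})),
]

if __name__ == "__main__":
    print(handle(RULES, "10.0.0.1", b"\x00\x01"))                  # malformed -> dropped
    print(handle(RULES, "1.2.3.4", build_header(opcode=5)))        # UPDATE from 1.2.3.4 -> dropped
    print(handle(RULES, "10.0.0.1", build_header(opcode=5)))       # UPDATE elsewhere -> NOTIMP
    print(handle(RULES, "10.0.0.1", build_header(qdcount=2)))      # two questions -> FORMERR
    print(handle(RULES, "10.0.0.1", build_header()))               # ordinary query -> processed
```

Because attributes are attached before any response decision, the same inspection serves both policies the thread contrasts: a DROP rule keyed on "malformed" behaves like BIND 9's blackhole for junk that is not a DNS message, while packets from other sources still receive the usual FORMERR or NOTIMP from normal processing.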